Encrypted authentication via PAM

Jeff Williams willi290 at tc.umn.edu
Mon Sep 10 01:01:08 GMT 2001


I am hoping to do something out of the ordinary for authentication and
would like any advice people have.

I would like to have users (NT and 2000) login to a SAMBA PDC and have their
username and NT password hash (in the password field) sent along into
PAM_Auth_Radius or PAM_Radius_Auth to go to a RADIUS server that will check
against the NT MD4 hash of the password.  Then the result would be sent back
to PAM and into SAMBA as a grant or deny.
I do not control the RADIUS server (or the password list), or I would be able
to solve this easily with the passwords.  I convinced the data owners to add
this extra NT PW Hash attribute in case I get this to work.  Password changes
all go through a different system.

I know that plain text logins can use PAM, and that normally encrypted ones
I've looked at both the ntlm v1 and plaintext sections of smbd and
am a bit overwhelmed.  Are there multiple pieces I would change or just the one
I found?  Is the 8 bit piece that is added to the 16 bits going to be a problem
in checking against an NT MD4 pw hash? Will session related code give me any

I thank all who respond and all who have worked on SAMBA.


More information about the samba-technical mailing list